{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33499", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.888Z", "datePublished": "2026-03-23T16:11:57.528Z", "dateUpdated": "2026-03-23T17:42:30.355Z"}, "containers": {"cna": {"title": "AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2"}, {"name": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T16:11:57.528Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch."}], "source": {"advisory": "GHSA-7292-w8qp-mhq2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:42:06.040137Z", "id": "CVE-2026-33499", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:42:30.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33499", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:42:06.040137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:42:14.415Z"}}], "cna": {"title": "AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php", "source": {"advisory": "GHSA-7292-w8qp-mhq2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457", "name": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T16:11:57.528Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33499", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:42:30.355Z", "dateReserved": "2026-03-20T16:59:08.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T16:11:57.528Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, las plantillas `view/forbiddenPage.php` y `view/warningPage.php` reflejan el par\u00e1metro `$_REQUEST['unlockPassword']` directamente en los atributos de una etiqueta HTML `` sin ninguna codificaci\u00f3n de salida o saneamiento. Un atacante puede crear una URL que escapa del atributo `value` e inyecta atributos HTML arbitrarios, incluyendo manejadores de eventos JavaScript, logrando XSS reflejado contra cualquier visitante que haga clic en el enlace. El commit f154167251c9cf183ce09cd018d07e9352310457 contiene un parche."}], "id": "CVE-2026-33499", "lastModified": "2026-03-24T18:11:56.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T17:16:51.180", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T19:38:45.114021+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version that includes the mitigation (apply the commit f154167251c9cf183ce09cd018d07e9352310457 or newer than 26.0).", "If an upgrade is not immediately possible, edit view/forbiddenPage.php and view/warningPage.php to encode the unlockPassword parameter (for example, using htmlspecialchars) before outputting it into the HTML attribute.", "Consider disabling the unlockPassword functionality or removing the parameter from public URLs until a patch is available."], "summary": {"action": "Apply Patch", "impact": "Reflected XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all community editions of WWBN AVideo, specifically versions 26.0 and earlier. The open source platform\u2019s view/forbiddenPage.php and view/warningPage.php files are responsible for rendering the pages, and the faulty code remains until the patch is applied. No third\u2011party CPEs were listed beyond the generic AVideo CPE.", "description_and_impact": "The flaw resides in AVideo\u2019s view templates, where the unlockPassword request parameter is inserted directly into an HTML input tag without any encoding. By inserting a payload that closes the value attribute and adds JavaScript event handlers, an attacker can force the browser to execute code when a victim clicks a crafted link. This is a classic reflected cross\u2011site scripting vulnerability (CWE\u201179) that can compromise a visitor\u2019s session or steal credentials.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates a moderate risk, and the EPSS score of less than 1\u202f% suggests a low chance of current exploitation. The vulnerability is not included in CISA\u2019s KEV catalog. An attacker can exploit it remotely by crafting a URL that supplies a malicious unlockPassword value; the victim must then visit the link. Because the flaw is reflected and unauthenticated, the exploitation effort is low, but the potential impact on confidential user data or session hijacking makes it a priority to address."}}}}, "created": "2026-03-24T10:33:36.809233+00:00", "updated": "2026-03-25T20:37:27.915333+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}